1

HealthShare/eHealth  NSW

Disaster  Preparedness  for  Procurement  &  Supply  Chain  Challenges

2

Disaster  Preparedness  Components

3

Incident-­Emergency-­Disaster  Management  Continuum  

• Local  Emergency  Response– Code  response– Evacuation  procedures– Interaction  with  Emergency  Services– Protection  of  Staff– Communication  &  Escalation

4

Incident-­Emergency-­Disaster  Management  Continuum  • Crisis  Management– Declaration,  Decision  Making– Resource  Allocation– Stakeholder    &  Staff  Interaction– Dealing  with  media  – distraction  &  accuracy  

5

Incident-­Emergency-­Disaster  Management  Continuum  • Business  Continuity

– People– Equipment– Facilities– Documents  &  Records– CBORD  &  ICT– Third  Party  Suppliers

6

Incident-­Emergency-­Disaster  Management  Continuum  

• ICT  Continuity– ICT  People– ICT  System– Electronic  Data– Facilities  –(Data  Centre)– Infrastructure

7

PPRR  Risk  Management  Model• Prevention – take  action  to  reduce  or  eliminate  the  likelihood  or  impact  of  an  incident  – Prepare  a  Risk  Management  Plan

• Preparation – take  steps  before  an  incident  to  ensure  an  effective  response  and  recovery  – Conduct  a  Business  Impact  Analysis  

• Response – contain,  control  or  minimise  impact  of  an  incident  –Prepare  an  Incident  Response  Plan

• Recovery – take  steps  to  minimise  disruption  and  recovery  times  – Develop  a  Recovery  Plan  

8

Planning  Process  – based  on  BCP

• Consistent  with  business  continuity  policy• Minimum  level  of  products  &  services  acceptable  to  achieve  its  objectives

• Measurable• Take  into  account  applicable  requirements• Monitored  and  updated  regularly

9

Business  Continuity  Planning• Holistic  management  process  • Identifies  potential  threats  to  an  organisation  • Impact  to  business  operations   if  threats  realised• Provides  a  framework  for  building  organisational  resilience  with  capability  of  an  effective  response

10

Business  Continuity  Planning• Safeguards  interests  of  key  stakeholders,  reputation,  brand,  value  creating  activities/services

• Ensures  operational  resilience   to  support  the  business  needs• Ensures  capability  to  continue  to  meet  customer  critical  products  &  services  regardless  of  any  operational  disruption

• Ensures  maintenance  of  “Business  As  Usual”  management  practices

11

Business  Continuity  Planning• Key  Terms– RTO  =  Recovery  Time  Objective– MAO  =  Maximum  Acceptable  Outage– RPO  =  Recovery  Point  Objective

12

Business  Continuity  Planning• Time– Time  is  applicable  to  every  business  activity– Time  sensitive  business  activities  establish  the  order  in  which  they  must  be  restored.

13

14

15

Business  Continuity  Objectives• Who  will  be  responsible• What  will  be  done• What  resources  will  be  required• When  it  will  be  completed• How  results  will  be  evaluated

16

Recovery    Strategies  Focus

• Business  activity        Critical  Functions• Recovery  issues  &  assumptions• Contingencies• Strategies

17

Strategy  Types• Activity  Contingency  Strategies– Relocation  – logistics  for  moving– Workaround  – procedures  when  key  resources  unavailable  

• Resource  Recovery  Strategies– Resource  replacement,  repair,  recovery  or  alternate  capability

18

Strategy  Types• Common  Strategies  – Resource  or  Activity  Based– Link  more  than  one  Business  Activity  or  Resource• Move  business  activities  to  new  location• Apply  some  emergency  purchasing  process  to  many  resources• Workaround  for  a  group  of  Activities

19

Conducting  a  Business  Impact  Assessment• Objective– Identify  key  critical  business  processes  – Determine  resources  &  dependencies  essential  to  their  operation  

20

Conducting  a  Business  Impact  Assessment• Team  structure• Key  business  objectives  • Critical  success  factors• Key  business  processes  – outputs  &  RTO• Key  staff  and  work  locations

21

Conducting  a  Business  Impact  Assessment• Assess  Impact of  a  process  failing  – Impact  relating  to  whole  of  business  not  just  business  unit

– Consider   impact  over  <1  day,  1  day,  5  days,  10  days  &  30  days

– Consider  Master  Service  Agreements– Assume  failure  occurs  at  worst  possible  time

22

Conducting  a  Business  Impact  Assessment• Financial  &  legal• Communication  &  Information,  Facilities  &  Asset  Management

• Customer  Service  &  Operations  (Workforce)• Reputation  /Brand  (Community  expectation  Leadership  Management)

23

Conducting  a  Business  Impact  Assessment• Emergency  &  Disaster  Response• People  (Safety  &  Security)• Customers  (Health,  Clinical  Care  &  Patient  Safety)

24

Conducting  a  Business  Impact  Assessment• Minor• Moderate• Major• Catastrophic

25

Process  Information• Business  Unit/Department/Process• Location• Primary  customers• Description  (of  output)• Service  level• Worst  time

26

Resources/Dependencies• Key  Staff  (Role/Title)  – include  name  if  desired/required• External  Suppliers  – Supplier  &  name  the  process  or  service• Internal  Suppliers  – Supplier  &  name  the  process  or  service• IT  Applications/Systems/Networks• Vital  Records  (refers  to  non-­electronic  records)• Other  equipment

27

Work  Area  Requirements• Resource• Resource  location• BAU  Number• Description• Critical  process  relying  on  resource• Telephone  re-­direction  destination  number• Alternate  Source

28

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Assess  &  determine  scope  of  incident  and  impact

• Advise  management  &  other  impacted  business  units

• Implement  response  and  determine  whether  to  declare  a  crisis.  

29

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Local  management  determine  potential  for  escalation  into  a  crisis

• Local  &  senior  management  decide  when  to  follow  Recovery  Action  Plan

30

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Recovery  Action  Plan– Recovery  Immediate  Action• Task• Action• Responsibility• Timeframe

31

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Recovery  Assessment– Maintain  communication  with  staff  &  key  stakeholders

– Determine  status  of  critical  processes– Evaluate  recovery  options– Confirm  recovery  strategy  priority,  schedule,  procedure  &  resourcing

32

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Recovery  of  Critical  Processes– Maintain   line  of  communication  with  staff  &  key  internal  stakeholders

– Update  staff  on  HR  policies– Salvage  equipment  &  vital  records  from  affected  facility

– Continue  processing  from  alternative  recovery  site

33

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Resumption    (Return  to  BAU  Operations)– Review  staff  welfare– Initiate  resumption  project– Identify  what  can  be  salvaged– Procure  office/business  space  if  required

34

From  Immediate  Action  to  Recovery  Assessment  &  Activation• Resumption  (Return  to  BAU  Operations)– Move  from  alternate  recovery  site  to  new  or  restored  premises

– Migrate  processing  from  alternative  facility– Introduction  to  new  facility– Communicate  with  stakeholders

35

Testing  Emergency  Management  &  Business  Continuity  Plans• Walkthrough• Tabletop  exercise/discussion• Limited  actual  exercise  – test  critical  processes  &  resources

• Complete  major  exercise  e.g.  live  evacuation

36

Disaster  Preparedness

Questions?